changelog-generator
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to ingest and process data from external, untrusted sources such as git history, diffs, pull request titles, and existing changelog files. An attacker with the ability to commit to the repository could embed malicious instructions in these sources to manipulate the agent's output.
  - Ingestion points: Untrusted data enters the context via git log, merged pull requests, and CHANGELOG.md, as referenced in SKILL.md.
  - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are provided for the source data.
  - Capability inventory: The skill assumes access to repository tools and file systems to read logs and write changelogs.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before processing.